US President Joseph Biden recently described our digital world as being at an “inflection point.” Indeed, the rapid proliferation of new technology has created complex, and sometimes hidden, digital interdependencies that are vulnerable to exploitation, challenging the private sector and government to contain risks before they become unmanageable. It is no surprise that cybersecurity is now an essential component of modern business.
Whether it is securing customer payment data or guarding the nation’s most critical infrastructure from state-sponsored hackers, companies across numerous industries are coming to terms with the importance of cybersecurity controls and accepting one undeniable truth—keeping up with the cyberthreat landscape is difficult but imperative. Each day, more components of daily life are becoming digitized and integrated with other digital systems, thereby presenting more necessity, complexity, and risk.
The confluence of digital systems in the electric vehicle (EV) industry is a perfect example of that phenomenon. Deploying EVs and EV supply equipment (EVSE), such as charging equipment, involves multiple interconnected platforms, connections to electric grid infrastructure, and exchanges of operational and customer data, all spread over a wide geographic footprint, presenting a target-rich environment for threat actors.
For example, a large-scale compromise of grid-connected EVSE could cause electric distribution system disturbances by manipulating load patterns or system voltage. Threat actors could also introduce malicious software to a customer’s EV by first compromising an unsecured charging station to which that EV eventually connects.
Data privacy risks are also present. The EV ecosystem involves many different exchanges of customer information, including personally identifiable information and payment information. Such data, whether stored locally on the EVSE or in a remote server, presents a valuable target for threat actors.
Data concerns are not just limited to foul play. Inadvertent data disclosures or larger breaches due to poor data management practices will invite scrutiny and legal liability. To address these risks, EV and EVSE companies will need to shore up cybersecurity risk management practices while keeping the following challenges in mind.
- Regulatory Uncertainty: While regulations are often accompanied by compliance and legal risks, they can also be useful for the private sector, as other industries have demonstrated. Mandatory requirements establish a baseline set of principles for the industry and drive accountability within regulated organizations. There are currently no mandatory cybersecurity requirements in place for the EV ecosystem. However, the federal government may be ready to change its approach. Earlier this year, the Biden administration released its National Cybersecurity Strategy, which concluded that mandatory cybersecurity requirements should be implemented for key critical infrastructure sectors because voluntary approaches have thus far been inadequate. While that call for regulation is currently just a policy declaration—and even so is not applicable to all commercial EVs or EVSE—it is possible the federal government will continue exploring the need for additional legal authorities to make EV cybersecurity regulation a reality.
- Evolving Data Privacy Laws: As recent data privacy lawsuits in California and Illinois demonstrate, managing the appropriate use of customer data is becoming increasingly challenging. There is a patchwork of state-mandated privacy laws covering everything from Social Security numbers to biometric information. Adding to the challenge is the speed with which the legal landscape is changing. In the absence of a comprehensive federal data privacy framework, more and more states are enacting privacy legislation.
- Secure by Design and Liability Risks: In engineering parlance, “secure by design” means that a product is designed to be as foundationally secure from vulnerabilities as possible. Many products in the marketplace today are not designed with those principles in mind and are deployed with significant security vulnerabilities that can be exploited by threat actors. EV and EVSE manufacturers will need to pay particularly close attention to the cybersecurity risks across the entire lifecycle of a vehicle or a charging station (from conception to decommissioning) posed by items or software in their supply chains to avoid issues down the line.
There are several key steps that EV and EVSE manufacturers can take today to limit their cybersecurity exposure and the attendant legal risk. First, EV and EVSE manufacturers should establish robust internal cybersecurity programs to identify and implement cybersecurity protections for vehicles and charging stations.
Those programs should use a risk-based approach to prioritize the most critical systems that pose the greatest risks to health and human safety. Cybersecurity programs should also have incident response plans that are designed to ensure recovery from cybersecurity incidents, robust cybersecurity awareness training, and procedures to encourage information sharing within relevant industry groups (for example, through the Automotive Information Sharing and Analysis Center or Auto-ISAC).
Second, in the absence of mandatory federal requirements, EV and EVSE manufacturers should carefully evaluate existing voluntary programs and guidance for cybersecurity risk management. For example, the US Department of Transportation’s National Highway Traffic Safety Administration recently refreshed its Cybersecurity Best Practices for the Safety of Modern Vehicles.
The Federal Highway Administration also published a final rule establishing new minimum standards and regulatory requirements for light-duty EV chargers funded under the Infrastructure Investment and Jobs Act. Other standards-setting organizations have released cybersecurity frameworks specific to the EV industry, such as the International Organization for Standardization’s ISO/SAE 21434:2021.
The National Institute of Standards and Technology is also developing a cybersecurity framework that will provide users with a national-level, risk-based approach for managing cybersecurity activities for EV extreme fast charging (XFC) infrastructure.
Third, EV and EVSE companies should implement supply chain risk management programs to evaluate critical commercial hardware and software components used in EVs and charging equipment. As most of those supply chain risks originate with vendors of products and services, supply chain risk management programs should address vendor risks at each stage of the procurement lifecycle—from initial identification of the vendor, to the installation of products or implementation of services, and finally through the termination of the vendor relationship. EV and EVSE companies developing new programs can consider approaches taken in critical infrastructure sectors, such as the electric power industry, to identify, assess, and mitigate vendor risks.
Fourth, EV and EVSE organizations should foster a culture that prioritizes cybersecurity awareness. This includes elevating the risk management discussion to the highest levels within the organization and ensuring that key members have a seat at the table when addressing cybersecurity.
Additionally, EV and EVSE companies should regularly engage with government stakeholders when appropriate to do so, proactively participate in administrative rulemakings and notice and comment proceedings, and explore direct engagement opportunities with regulators. Ultimately, it is important to educate regulators to ensure that mandatory requirements, if implemented, are operationally and commercially viable for the regulated industry.
Opportunities and challenges continue to emerge in the ever-evolving automotive and mobility space, including developing hydrogen fuel infrastructure; safeguarding EVs, EV supply equipment, and the electrical grid from cyber threat actors; and introducing more complex ADAS technologies in passenger and commercial vehicles.